01-27-2004 08:23 AM
I am setting up a proxy server to filter web traffic. I have added an access-group on the pix to control access on the inside interface.
Here is what I have added:
access-list acl_in permit tcp host MyProxyserverIPaddress any eq http
access-list acl_in permit tcp host MyProxyserverIPaddress any eq https
access-list acl_in permit icmp any any
access-list acl_in permit ip any any
access-list acl_in deny tcp any any eq http
access-list acl_in deny tcp any any eq https
access-group acl_in in interface inside
I want to allow only the proxy server to have outbound access for http/https traffic. All clients must configure their web browser with the ProxyserverIPaddress. If any client attempts outbound access to the web (http/https), their traffic should be blocked at the pix. Only clients with the proper web browser proxy configuration will be allowed to access the web through the proxy server using the ProxyserverIPaddress.
Only the proxy server should be permitted outbound access to the web (http/https traffic).
Even though I have applied this access group, clients can still access the web without using a proxy server.
I have written the config to mem and reloaded the pix.
Any suggestions?
01-27-2004 09:03 AM
Hi, try the following...
access-list inside permit tcp host
access-list inside deny tcp any any eq www
access-list inside permit ip any any
Now bind the above ACL to the inside interface with:
access-group inside in interface inside
Remember to save with cmd: write mem and also issue cmd: clear xlate.
Best way to write the above is on a notepad first and then paste back onto the PIX config in config mode.
Use - no access-list inside - as the first line above before you paste back to PIX in config mode, i.e.
no access-list inside
This way the pix will clear the old ACL with the new ACL.
Remember if you make any modifications to ACLs or static commands ALWAYS issue clear xlate to activate the new commands.
Hope this helps - Jay.
PS. This is the wrong area to post this question, should have posted this on the SECURITY-->Firewall section.
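The reason the original ACL does not work is the one Jay's reordering fixes: the PIX evaluates an access-list top to bottom and stops at the first matching line, so the early "permit ip any any" matches every client's web request before the deny lines are ever reached. The small evaluator below is an added illustration (not code from this thread or from Cisco) that applies first-match semantics to both orderings. It parses only the simple line shapes used in the posts (tcp/icmp/ip, "host X" or "any", optional "eq port"); the proxy and client addresses 10.0.0.5 and 10.0.0.50 and the destination 198.51.100.10 are constructed placeholders. The reordered list keeps both the www and the https deny lines, since the reply's ACL as posted only denies www.

```python
"""First-match evaluation of PIX-style access-list lines (added example, not from the thread)."""

# Port keywords as used in the posts; "www" and "http" are both TCP/80.
PORT_NAMES = {"http": 80, "www": 80, "https": 443}

PROXY = "10.0.0.5"     # constructed placeholder for MyProxyserverIPaddress
CLIENT = "10.0.0.50"   # constructed placeholder for an ordinary inside host
WEBSERVER = "198.51.100.10"  # constructed placeholder for an outside web server

# Ordering from the original post: permit ip any any sits ABOVE the deny lines.
ORIGINAL_ACL = [
    f"access-list acl_in permit tcp host {PROXY} any eq http",
    f"access-list acl_in permit tcp host {PROXY} any eq https",
    "access-list acl_in permit icmp any any",
    "access-list acl_in permit ip any any",
    "access-list acl_in deny tcp any any eq http",
    "access-list acl_in deny tcp any any eq https",
]

# Ordering following the reply: proxy permits, then web denies, then the catch-all permit.
REORDERED_ACL = [
    f"access-list acl_in permit tcp host {PROXY} any eq http",
    f"access-list acl_in permit tcp host {PROXY} any eq https",
    "access-list acl_in deny tcp any any eq www",
    "access-list acl_in deny tcp any any eq https",
    "access-list acl_in permit icmp any any",
    "access-list acl_in permit ip any any",
]


def _parse_addr(tokens, i):
    """Parse 'any' or 'host <ip>' starting at tokens[i]; return (address, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at token {i}: {tokens[i]}")


def parse_acl_line(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def parse_acl(lines):
    return [parse_acl_line(line) for line in lines]


def _matches(entry, proto, src, dst, dport):
    """An entry matches when every specified field agrees; 'ip' and 'any' are wildcards."""
    if entry["proto"] != "ip" and entry["proto"] != proto:
        return False
    if entry["src"] != "any" and entry["src"] != src:
        return False
    if entry["dst"] != "any" and entry["dst"] != dst:
        return False
    if entry["port"] is not None and entry["port"] != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, line index) of the first matching entry.

    No match means the implicit deny at the end of every access-list: ('deny', None).
    """
    for idx, entry in enumerate(acl):
        if _matches(entry, proto, src, dst, dport):
            return entry["action"], idx
    return "deny", None


if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        acl = parse_acl(lines)
        print(f"{label}: client -> web:80   {evaluate(acl, 'tcp', CLIENT, WEBSERVER, 80)}")
        print(f"{label}: client -> web:443  {evaluate(acl, 'tcp', CLIENT, WEBSERVER, 443)}")
        print(f"{label}: proxy  -> web:80   {evaluate(acl, 'tcp', PROXY, WEBSERVER, 80)}")
        print(f"{label}: client -> dns:53   {evaluate(acl, 'udp', CLIENT, WEBSERVER, 53)}")
```

Running it shows the client's direct web request hitting line 3 ("permit ip any any") in the original order, while in the reordered list it stops at the deny on line 2; the proxy still matches its own permit on line 0, and non-web traffic such as DNS falls through to the catch-all permit. The index returned is a useful check after any ACL change, for the same reason Jay recommends "clear xlate": the rule you expect to match must also be the one that actually matches first.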